Vulnerability-Lookup

CVE-2015-8269 (GCVE-0-2015-8269)

Vulnerability from cvelistv5 – Published: 2016-02-04 11:00 – Updated: 2024-08-06 08:13

Summary

Severity ?

No CVSS data available.

CWE

Assigner

certcc

References

URL

GSD-2015-8269

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2015-8269

Aliases

CVE-2015-8269

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-8269",
    "description": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number.",
    "id": "GSD-2015-8269"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-8269"
      ],
      "details": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number.",
      "id": "GSD-2015-8269",
      "modified": "2023-12-13T01:20:03.853147Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cert@cert.org",
        "ID": "CVE-2015-8269",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW",
            "refsource": "CONFIRM",
            "url": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW"
          },
          {
            "name": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform",
            "refsource": "MISC",
            "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
          },
          {
            "name": "VU#719736",
            "refsource": "CERT-VN",
            "url": "https://www.kb.cert.org/vuls/id/719736"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:h:fisher-price:smart_toy_bear:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2015-8269"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform",
              "refsource": "MISC",
              "tags": [],
              "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
            },
            {
              "name": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW",
              "refsource": "CONFIRM",
              "tags": [
                "US Government Resource"
              ],
              "url": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW"
            },
            {
              "name": "VU#719736",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "https://www.kb.cert.org/vuls/id/719736"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM"
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2016-02-24T11:34Z",
      "publishedDate": "2016-02-04T11:59Z"
    }
  }
}

FKIE_CVE-2015-8269

Vulnerability from fkie_nvd - Published: 2016-02-04 11:59 - Updated: 2025-04-12 10:46

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cret@cert.org	https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform
cret@cert.org	https://www.kb.cert.org/vuls/id/719736	US Government Resource
cret@cert.org	https://www.kb.cert.org/vuls/id/GWAN-A6LPPW	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/719736	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/GWAN-A6LPPW	US Government Resource

Impacted products

	Vendor	Product	Version
	fisher-price	smart_toy_bear	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:fisher-price:smart_toy_bear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A25FC051-D8CF-4ED9-BE77-765B5C19884C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number."
    },
    {
      "lang": "es",
      "value": "La API en dispositivos Fisher-Price Smart Toy Bear permite a atacantes remotos obtener informaci\u00f3n sensible o modificar datos aprovechando la presencia en un \u00e1rea de cobertura de red 802.11 e introduciendo un n\u00famero de cuenta."
    }
  ],
  "id": "CVE-2015-8269",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-02-04T11:59:00.113",
  "references": [
    {
      "source": "cret@cert.org",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/719736"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/719736"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2016-00991

Vulnerability from cnvd - Published: 2016-02-16

Title

Mattel Fisher-Price Smart Toy Bear API信息泄露漏洞

Description

Mattel Fisher-Price Smart Toy Bear是一个WiFi连接的物联网（IOT）智能玩具熊。 Mattel Fisher-Price Smart Toy Bear设备上的API中存在安全漏洞，允许远程攻击者可利用该漏洞提交特殊请求获取敏感信息或修改数据。

Severity

中

Patch Name

Mattel Fisher-Price Smart Toy Bear API信息泄露漏洞的补丁

Patch Description

Mattel Fisher-Price Smart Toy Bear是一个WiFi连接的物联网（IOT）智能玩具熊。 Mattel Fisher-Price Smart Toy Bear设备上的API中存在安全漏洞，允许远程攻击者可利用该漏洞提交特殊请求获取敏感信息或修改数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： http://www.mattel.com/

Reference

https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform

Impacted products

Name
Mattel Fisher-Price Smart Toy Bear

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-8269"
    }
  },
  "description": "Mattel Fisher-Price Smart Toy Bear\u662f\u4e00\u4e2aWiFi\u8fde\u63a5\u7684\u7269\u8054\u7f51\uff08IOT\uff09\u667a\u80fd\u73a9\u5177\u718a\u3002\r\n\r\nMattel Fisher-Price Smart Toy Bear\u8bbe\u5907\u4e0a\u7684API\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u4fee\u6539\u6570\u636e\u3002",
  "discovererName": "Mark Stanislav of Rapid7, Inc.",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www.mattel.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00991",
  "openTime": "2016-02-16",
  "patchDescription": "Mattel Fisher-Price Smart Toy Bear\u662f\u4e00\u4e2aWiFi\u8fde\u63a5\u7684\u7269\u8054\u7f51\uff08IOT\uff09\u667a\u80fd\u73a9\u5177\u718a\u3002\r\n\r\nMattel Fisher-Price Smart Toy Bear\u8bbe\u5907\u4e0a\u7684API\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u4fee\u6539\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mattel Fisher-Price Smart Toy Bear API\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Mattel Fisher-Price Smart Toy Bear"
  },
  "referenceLink": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform",
  "serverity": "\u4e2d",
  "submitTime": "2016-02-08",
  "title": "Mattel Fisher-Price Smart Toy Bear API\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

VAR-201602-0182

Vulnerability from variot - Updated: 2025-04-12 23:24

The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network's coverage area and entering an account number. Fisher price Smart Toy Web services for multiple API The call is not properly authenticated. Also, Smart Toy Fragile versions of toys Android OS May have been used. Fisher price Smart Toy Bear Is Wi-Fi With connection function IoT It is a toy. This toy uses the network function to provide further interaction with the child, the user. Inappropriate authentication (CWE-287) - CVE-2015-8269 Fisher price Smart Toy Has registered a user account with a predictable number. Smart Toy An attacker with one account can execute queries and commands against other accounts. An attacker can obtain information about other users, such as name, date of birth, and gender, by issuing a query. It is also possible to edit some information of other users and associate registered toys with other accounts. CWE-287: Improper Authentication http://cwe.mitre.org/data/definitions/287.html Rapid7 According to researchers, not all data in the account can be changed or retrieved and the impact is limited. Also, this researcher Smart Toy But Android 4.4 (KitKat) It is supposed to work with. At the moment, Smart Toy Latest for product Android It is unknown whether security patches have been applied. For more information, Rapid7 See the security advisory for. Rapid7 Security Advisory for https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform Fisher price Smart Toy I will provide a Mattel, Inc. Says: "We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this. We have recently been using Fisher Price Wi-Fi Connection Smart Toy Bear I learned about security vulnerabilities. This issue has already been fixed and no unauthorized access to customer information has been confirmed. Mattel At FisherPrice, we believe that the security of customers and their personal information is extremely important, and we will work to quickly resolve such vulnerabilities. "A remote attacker may obtain or change the personal information of the child or parent associated with the product. There is also the possibility of getting a toy. Fisher-Price Smart Toy is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions like modifying private information or take ownership of the toy

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201602-0182",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "smart toy bear",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fisher price",
        "version": "*"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "mattel",
        "version": null
      },
      {
        "model": "fisher price smart toy web services",
        "scope": null,
        "trust": 0.8,
        "vendor": "mattel",
        "version": null
      },
      {
        "model": "fisher-price smart toy bear",
        "scope": null,
        "trust": 0.6,
        "vendor": "mattel",
        "version": null
      },
      {
        "model": "smart toy bear",
        "scope": null,
        "trust": 0.6,
        "vendor": "fisher price",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:fisher-price:smart_toy_bear",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Rapid7",
    "sources": [
      {
        "db": "BID",
        "id": "82404"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2015-8269",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CVE-2015-8269",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "availabilityRequirement": "NOT DEFINED",
            "baseScore": 6.5,
            "collateralDamagePotential": "NOT DEFINED",
            "confidentialityImpact": "PARTIAL",
            "confidentialityRequirement": "NOT DEFINED",
            "enviromentalScore": 4.4,
            "exploitability": "PROOF-OF-CONCEPT",
            "exploitabilityScore": 8.0,
            "id": "CVE-2015-8269",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "integrityRequirement": "NOT DEFINED",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "remediationLevel": "UNAVAILABLE",
            "reportConfidence": "CONFIRMED",
            "severity": "MEDIUM",
            "targetDistribution": "MEDIUM",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vector_string": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2016-00991",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.6,
            "id": "CVE-2015-8269",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2015-8269",
            "trust": 1.6,
            "value": "MEDIUM"
          },
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2015-8269",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-00991",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201602-131",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2015-8269",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number. Fisher price Smart Toy Web services for multiple API The call is not properly authenticated. Also, Smart Toy Fragile versions of toys Android OS May have been used. Fisher price Smart Toy Bear Is Wi-Fi With connection function IoT It is a toy. This toy uses the network function to provide further interaction with the child, the user. Inappropriate authentication (CWE-287) - CVE-2015-8269 Fisher price Smart Toy Has registered a user account with a predictable number. Smart Toy An attacker with one account can execute queries and commands against other accounts. An attacker can obtain information about other users, such as name, date of birth, and gender, by issuing a query. It is also possible to edit some information of other users and associate registered toys with other accounts. CWE-287: Improper Authentication http://cwe.mitre.org/data/definitions/287.html Rapid7 According to researchers, not all data in the account can be changed or retrieved and the impact is limited. Also, this researcher Smart Toy But Android 4.4 (KitKat) It is supposed to work with. At the moment, Smart Toy Latest for product Android It is unknown whether security patches have been applied. For more information, Rapid7 See the security advisory for. Rapid7 Security Advisory for https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform Fisher price Smart Toy I will provide a Mattel, Inc. Says: \"We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this. We have recently been using Fisher Price Wi-Fi Connection Smart Toy Bear I learned about security vulnerabilities. This issue has already been fixed and no unauthorized access to customer information has been confirmed. Mattel At FisherPrice, we believe that the security of customers and their personal information is extremely important, and we will work to quickly resolve such vulnerabilities. \"A remote attacker may obtain or change the personal information of the child or parent associated with the product. There is also the possibility of getting a toy. Fisher-Price Smart Toy is prone to an authentication-bypass vulnerability. \nAn attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions like modifying private information or take ownership of the toy",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      },
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "BID",
        "id": "82404"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      }
    ],
    "trust": 3.78
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.kb.cert.org/vuls/id/719736",
        "trust": 0.8,
        "type": "poc"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#719736",
        "trust": 3.6
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269",
        "trust": 3.4
      },
      {
        "db": "JVN",
        "id": "JVNVU99349751",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "82404",
        "trust": 0.3
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "db": "BID",
        "id": "82404"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "id": "VAR-201602-0182",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      }
    ]
  },
  "last_update_date": "2025-04-12T23:24:31.457000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Smart Toy Bear",
        "trust": 0.8,
        "url": "http://www.fisher-price.com/shop/smart-toys--174%3B/smart-toy-bear-dnv31"
      },
      {
        "title": "\u30c8\u30c3\u30d7\u30da\u30fc\u30b8",
        "trust": 0.8,
        "url": "http://www.fisher-price.com/ja_JP/index.html"
      },
      {
        "title": "MattelFisher-PriceSmartToyBearAPI Information Disclosure Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/71369"
      },
      {
        "title": "Mattel Fisher-Price Smart Toy Bear Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60081"
      },
      {
        "title": "IoT-PenTesting-Research-",
        "trust": 0.1,
        "url": "https://github.com/RedaMastouri/IoT-PenTesting-Research- "
      },
      {
        "title": "IOt-Hack",
        "trust": 0.1,
        "url": "https://github.com/mrnamp/IOt-Hack "
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/MdTauheedAlam/IOT-Hacks "
      },
      {
        "title": "IOTHacks",
        "trust": 0.1,
        "url": "https://github.com/AliyaValieva/IOTHacks "
      },
      {
        "title": "awesome-iot-hacks",
        "trust": 0.1,
        "url": "https://github.com/nebgnahz/awesome-iot-hacks "
      },
      {
        "title": "Awesome-Hardware-and-IoT-Hacking",
        "trust": 0.1,
        "url": "https://github.com/CyberSecurityUP/Awesome-Hardware-and-IoT-Hacking "
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 4.2,
        "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
      },
      {
        "trust": 2.9,
        "url": "https://www.kb.cert.org/vuls/id/719736"
      },
      {
        "trust": 2.5,
        "url": "https://www.kb.cert.org/vuls/id/gwan-a6lppw"
      },
      {
        "trust": 1.1,
        "url": "http://www.fisher-price.com/shop/smart-toys--174%3b/smart-toy-bear-dnv31"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8269"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu99349751/index.html"
      },
      {
        "trust": 0.8,
        "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8269"
      },
      {
        "trust": 0.8,
        "url": "http://fortune.com/2016/02/02/fisher-price-smart-toy-bear-data-leak/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/287.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/redamastouri/iot-pentesting-research-"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/nebgnahz/awesome-iot-hacks"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "db": "BID",
        "id": "82404"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "db": "BID",
        "id": "82404"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-02-02T00:00:00",
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "date": "2016-02-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "date": "2016-02-04T00:00:00",
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "date": "2016-02-02T00:00:00",
        "db": "BID",
        "id": "82404"
      },
      {
        "date": "2016-02-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "date": "2016-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "date": "2016-02-04T11:59:00.113000",
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-02-02T00:00:00",
        "db": "CERT/CC",
        "id": "VU#719736"
      },
      {
        "date": "2016-02-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-00991"
      },
      {
        "date": "2016-02-24T00:00:00",
        "db": "VULMON",
        "id": "CVE-2015-8269"
      },
      {
        "date": "2016-07-05T21:21:00",
        "db": "BID",
        "id": "82404"
      },
      {
        "date": "2016-02-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001344"
      },
      {
        "date": "2016-02-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2015-8269"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fisher-Price Smart Toy platform allows some unauthenticated web API commands",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#719736"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-131"
      }
    ],
    "trust": 0.6
  }
}

GHSA-7XV5-5F2F-VFQ3

Vulnerability from github – Published: 2022-05-17 03:58 – Updated: 2022-05-17 03:58

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2015-8269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-02-04T11:59:00Z",
    "severity": "HIGH"
  },
  "details": "The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network\u0027s coverage area and entering an account number.",
  "id": "GHSA-7xv5-5f2f-vfq3",
  "modified": "2022-05-17T03:58:44Z",
  "published": "2022-05-17T03:58:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8269"
    },
    {
      "type": "WEB",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/719736"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/GWAN-A6LPPW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-8269 (GCVE-0-2015-8269)

GSD-2015-8269

FKIE_CVE-2015-8269

CNVD-2016-00991

VAR-201602-0182

GHSA-7XV5-5F2F-VFQ3

Tags

Sightings

Nomenclature